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As improvements are made to the Shuttle or its processes and as more is learned 
regarding its operation, the Shuttle PRA is updated 

Updates incorporated into Iteration 3.2 include 

— Addition of Orbiter Flight Software 

— Updated Pyro modeling 

— Incorporation of Orbiter Review Summit comments 

— Updated MMOD and Ascent Debris 

— Data was updated based upon iteration 3.0 review. 
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The following table is a cross-referenced list showing the features included in each 
model iteration. 


Model Features 

Model Iteration 

1.0 

2.0 

2.1 

2.2 

3.0 

3.1 

3.2 

Integrated Model 

S 

✓ 

v' 

✓ 

✓ 

✓ 

✓ 

Phased Approach 

S 

✓ 

✓ 

✓ 

v' 

✓ 

✓ 

Engineering and Peer Reviewed Data 


✓ 

✓ 

✓ 

v' 

✓ 

✓ 

Documented Model 


✓ 

v' 

✓ 

v' 

✓ 

v' 

TPS Inspection and Repair 




✓ 

v' 

✓ 

✓ 

Contingency Shuttle Crew Support (CSCS) 





✓ 

✓ 

✓ 

Intact Aborts (RTLS, TAL, ATO) 





✓ 

✓ 

v' 

Collision During Rendezvous and Docking 





v' 

✓ 

v' 

Orbiter Flight Software 







✓ 


5 / 13/10 
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• The Shuttle PRA has been incrementally developed over many years 

- Mission Phases (Ascent, Orbit, Entry) 

- Number of Systems Modeled 

- Risk Factors considered (systems failures, phenomenological failures, human reliability, external 
events, etc.) 

• The advent of established NASA requirements, standards, and tools - as well as the 
development of a strong shuttle program PRA team have resulted in significant recent progress 

• Iteration 3.2 is the most comprehensive Shuttle PRA to date 
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INCREASING FIDELITY AND EXPANDED SCOPE 
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The mean probability of LOCV for Shuttle as currently calculated by iteration 3.2 of the SPRA is: 


Mean - 1.1E-02 (1:89) 


Median -1.1E-02 (1:93) 


5 th percentile - 7.9E-03 (1:130) 


95 th percentile - 1.6E-02 (1:63) 



Probability 


• This is a decrease from SPRA Iteration 3.1 which had a mean estimate of 1:85 


• Considering the improvements that have been made, these results are consistent with an 
empirical calculation of 2 failures in 131 missions which gives a 1 in 66 probability of LOCV 


5 / 13/10 
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Rank 

%age of 
Total 

Cumulative 

Total 

Point Estimate 
Probability 
(l:n) 

Failure Scenario Description 

l 

29.4 

29.4 

3.3E-03 

(1:300) 

Micrometeoroid and Orbital Debris 
(MMOD) strikes Orbiter on orbit leading 
to LOCV on orbit or entry 

2 

13.4 

42.8 

1.5E-03 

(1:670) 

Space Shuttle Main Engine (SSME)- 
induced SSME catastrophic failure 

3 

9.5 

52.3 

1.1E-03 

(1:940) 

Ascent debris strikes Orbiter Thermal 
Protection System (TPS) leading to LOCV 
on orbit or entry 

4 

7.3 

59.6 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

5.8 

65.4 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)- 
induced RSRM catastrophic failure 

6 

2.0 

67.4 

2.3E-04 

(1:4400) 

Orbiter flight software error results in 
catastrophic failure during ascent 
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Rank 

%age of 
Total 

Cumulative 

Total 

Point Estimate 
Probability 
(l:u) 

Failure Scenario Description 

7 

1.6 

69.0 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation 
valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture 
of the interchanger resulting in Loss of All 
Cooling 

8 

1.5 

70.5 

1.7E-04 

(1:5900) 

Solid Rocket Booster (SRB) APU shaft seal 
fracture 

9 

1.2 

71.7 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure 
causes rupture in the GH2 re- 
pressurization line 

10 

1.2 

72.9 

1.3E-04 

(1:7700) 

Collision of the Orbiter with the 
International Space Station (ISS) during 
rendezvous and docking 
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1.E-05 1.E-04 1.E-03 1.E-02 1.E-01 

* Some overlap in risk exists. For example, a cut set containing both a mechanical failure and a human error that 
result in failure to lower the landing gear is counted in both the Orbiter hardware contributor and the human error 
contributor. 



SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 


SPRA ITERATION 3.2 CONTRIBUTIONS BY 

Presenter Roger Boyer 

PHASE 

Date 10/26/10 

Page 1 0 


ESTIMATED PHASE CONTRIBUTIONS TO WHEN LOCV IS INITIATED 


Phase 

5 th 

Mean 

95th 

Ascent 

1:350 

1:200 

1:110 

Orbit 

1:340 

1:210 

1:130 

Entry 

1:1100 

1:700 

1:460 



ESTIMATED PHASE CONTRIBUTIONS TO WHEN LOCV IS REALIZED 


Ascent 

Orbit 

Entry 



Phase 

5 th 

Mean 

95th 

Ascent 

1:480 

1:260 

1:150 

Orbit 

1:1100 

1:570 

1:320 

Entry 

1:280 

1:180 

1:110 


1.E-04 


1.E-03 


1.E-02 












Normalized Risk 
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• Intact abort due to Benign Engine Shutdown or Stuck Throttle represent 
<1% of the overall risk. 

- The probability of a Benign Engine Shutdown is ~ 1 :320 

- Return to Launch Site (RTLS) abort represents the largest fraction of the abort risk 
(57%) mainly due to the higher likelihood of having an engine out early 
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• Iteration 3.2 of the SPRA lends itself to any number of sensitivities being 
performed; however, given its current applications, the following sensitivities 
studies were considered to be the most informative: 

- No late inspection 

• In this sensitivity the basic event capturing the probability of detecting damage during late inspection is set 
to 1 .0 and the false positive TPS damage during late inspection and late inspection induced TPS damage 
are set to zero. 

- No crew rescue 

• In this sensitivity crew rescue is set to 1 .0 and the risk from false positive TPS damage is zeroed out 
because since there is no critical damage the vehicle returns safely 

- No TPS repair 

• In this sensitivity the all TPS damages are considered irreparable and crew rescue is chosen as the 
mitigation for detected critical damage 

16.0 

14.0 - 

12.0 - 

10.0 - 

8.0 - 

6.0 - 

4.0 - 

2.0 - 


Mission Risk 

Per Mission Probability 

5 th 

Percentile 

Mean 

95 th 

Percentile 

Baseline 

1:130 

1:89 

1:63 

No Late Inspection 

1:110 

1:77 

1:54 

No Crew Rescue 

1:110 

1:79 

1:55 

No TPS Repair 

1:120 

1:85 

1:59 


0.0 


No Late Inspection 


No Crew Rescue 


No TPS Repair 
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Establish project management and funding through the same path 

• If you don’t, your team will have different bosses thus you will not have a 
team 

Establish a single overall PRA technical authority 

• Don’t call desired methods as guidelines, if you want the team to follow 
them... 

Document, document, document (capture the basis of the PRA) 
provide tracability (the rabbit trail) of assumptions to results, if you 
wait to document after presenting the results you will be 
embarrassed as a minimum. 

Get buy in from domain experts early (i.e. before going to present 
to management) 
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Start the independent peer review up front with them reviewing the 
plan, then coming back later to ensure that the plan was followed 
correctly (also make sure you are ready for the peer review). The 
peer review should cover both the scope/content of the PRA as 
well as the PRA methodology used. 

Configuration control should be initiated when the PRA is initiated. 

Begin with the end in mind. Sounds simple. Now try 
implementing it. 

• Get the Hazard analysis, FMEA, and PRA teams working together versus 
answering the same questions with different approaches and minimum to 
no communication and/or integration. 

• Mission phases definition is very important as the number of potential 
phases increases the complexity of the model orders of magnitude. For 
example, abort modeling from ascent to on-orbit initiated. 
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The Shuttle is a very reliable vehicle in comparison with other launch systems. 
Much of the risk posed by Shuttle operations is related to fundamental 
aspects of the spacecraft design and the environments in which it operates. It 
is unlikely that significant design improvements can be implemented to 
address these risks prior to the end of the Shuttle program. 


The model will continue to be used to identify possible emerging risk drivers 
and allow management to make risk-informed decisions on future missions. 
Potential uses of the SPRA in the future include: 

Calculate risk impact of various mission contingencies (e.g. late inspection, crew 
rescue, etc.) 

Assessing the risk impact of various trade studies (e.g. flow control valves) 

- Support risk analysis on mission specific events, such as in flight anomalies. 
Serve as a guiding star and data source for future NASA programs 
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Rank 

%age of 
Total 

Cumulativ 
e Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

1 

29.4 

29.4 

3.3E-03 
(1 in 300) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

Orbit 

Orbit, Entry 

2 

13.4 

42.8 

1.5E-03 
(1 in 670) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic 
failure 

Ascent 

Ascent 

3 

9.5 

52.3 

1. IE-03 
(1 in 940) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) 
leading to LOCV on orbit or entry 

Ascent 

Orbit, Entry 

4 

7.3 

59.6 

8.2E-04 
(1 in 1200) 

Crew error during entry 

Entry 

Entry 

5 

5.8 

65.4 

6.5E-04 
(1 in 1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic 
failure 

Ascent 

Ascent 

6 

2.0 

67.4 

2.3E-04 
(1 in 4400) 

Orbiter flight software error results in catastrophic failure during 
ascent 

Ascent 

Ascent 

7 

1.6 

69.0 

1.8E-04 
(1 in 5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit 
overcooling the H20 loops and crew is unable to prevent rupture of 
the interchanger resulting in Loss of All Cooling 

Orbit 

Orbit 

8 

1.5 

70.5 

1.7E-04 
(1 in 5900) 

Solid Rocket Booster (SRB) APU shaft seal fracture 

Ascent 

Ascent 

9 

1.2 

71.7 

1.3E-04 
(1 in 7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 
re-pressurization line 

Ascent 

Ascent 

10 

1.2 

72.9 

1.3E-04 
(1 in 7700) 

Collision of the Orbiter with the International Space Station (ISS) 
during rendezvous and docking 

Orbit 

Orbit 

11 

1.1 

74.0 

1.3E-04 
(1 in 7900) 

Auxiliary Power Unit (APU) external leak on entry 

Entry 

Entry 

12 

1.0 

75.0 

1.2E-04 
(1 in 8600) 

SRB booster separation motor debris strikes Orbiter windows 

Ascent 

Ascent 
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Rank 

%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

13 

1.0 

76.0 

1. IE-04 
(1 in 8900) 

Reaction Control System (RCS) thrusters burnthrough on orbit 

Orbit 

Orbit 

14 

1.0 

77.0 

1. IE-04 
(1 in 9300) 

RCS Fuel System external leakage on orbit reacts with 02 on entry 

Orbit 

Entry 

15 

1.0 

77.9 

1. IE-04 
(1 in 9300) 

Orbital Maneuvering System (OMS) Fuel System external leakage 
on orbit reacts with 02 on entry 

Orbit 

Entry 

16 

0.9 

78.9 

1.0E-04 
(1 in 9500) 

Orbiter inspections (Flight Day 2 and late) produce false positive 
indications of damage, resulting in a failed crew rescue attempt 

Orbit 

Orbit 

17 

0.9 

79.8 

1.0E-04 
(1 in 9700) 

Power Reactant Storage and Distribution (PRSD) tank rupture 

Orbit 

Orbit 

18 

0.9 

80.7 

1.0E-04 
(1 in 9800) 

External Tank (ET) separation pyro-bolt or frangible nut fail to 
separate (Including Pyrotechnic Intiator Controller (PIC)/NASA 
Standard Initiator (NSI)) 

Ascent 

Entry 

19 

0.9 

81.6 

9.6E-05 
(1 in 10,000) 

Functional failure booster separation motor during SRB separation 

Ascent 

Ascent 

20 

0.9 

82.4 

9.6E-05 
(1 in 10,000) 

SRB separation pyro-bolts fail to separate (includes PIC/NSI) 

Ascent 

Ascent 

21 

0.8 

83.3 

9.4E-05 
(1 in 11,000) 

Common cause failure of the Electrical Power System (EPS) on 
orbit 

Orbit 

Orbit 

22 

0.8 

84.1 

9.3E-05 
(1 in 11,000) 

Flight control surface (elevons, rudder, body flap) actuators 
fail/jam during entry 

Entry 

Entry 

23 

0.8 

84.9 

9.2E-05 
(1 in 11,000) 

ET leaks result in fire/explosion 

Ascent 

Ascent 

24 

0.8 

85.7 

9.1E-05 
(1 in 11,000) 

Common cause failure of the APU System on entry 

Entry 

Entry 

25 

0.8 

87.0 

9.0E-05 
(1 in 11,000) 

Frangible nuts on SRB holdown bolts fail during launch (includes 
PIC/NSI) 

Ascent 

Ascent 
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Rank 

%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

26 

0.7 

87.8 

8.4E-05 
(1 in 12,000) 

Control or mechanical failure causes Main 
Propulsion System (MPS) prevalves to fail to close 

Ascent 

Ascent 

27 

0.7 

88.5 

7.5E-05 
(1 in 13,000) 

Fuel supply failure to the OMS during orbit and crew 
rescue fails 

Orbit 

Orbit 

28 

0.7 

89.1 

7.5E-05 
(1 in 13,000) 

MPS failures lead to helium overpressure on ascent 

Ascent 

Ascent 

29 

0.7 

89.8 

7.5E-05 
(1 in 13,000) 

MPS component failures cause a catastrophic 
overpressure condition in the aft compartment 
during entry 

Entry 

Entry 

30 

0.5 

90.3 

6.0E-05 
(1 in 17,000) 

RCS thruster fail leak or off on orbit 

Orbit 

Orbit 

31 

0.5 

86.2 

5.7E-05 
(1 in 18,000) 

Orbiter flight software error results in catastrophic 
failure during entry 

Entry 

Entry 

32 

0.5 

90.8 

5.7E-05 
(1 in 18,000) 

Flow Control Valve (FCV) poppet failure causes 
excessive GH2 ullage pressure resulting in LH2 
venting 

Ascent 

Ascent 

33 

0.5 

91.3 

5.5E-05 
(1 in 18,000) 

SSME-induced benign shutdown of the SSME 

Ascent 

Ascent 

34 

0.4 

91.8 

4.9E-05 
(1 in 20,000) 

Debonding of TPS during ascent 

Ascent 

Orbit, Entry 

35 

0.4 

92.2 

4.6E-05 
(1 in 22,000) 

APU external leak on ascent 

Ascent 

Ascent 

36 

0.3 

92.5 

3.9E-05 
(1 in 26,000) 

Loss of SRB TPS 

Ascent 

Ascent 

37 

0.3 

92.9 

3.8E-05 
(1 in 26,000) 

Structural failure of the ET during ascent. 

Ascent 

Ascent 

38 

0.3 

93.2 

3.8E-05 
(1 in 27,000) 

Loss of ET anti-vortex capability leads to SSME 
catastrophic overspeed 

Ascent 

Ascent 

39 

0.3 

93.5 

3.4E-05 
(1 in 29,000) 

Orbiter structural failures 

Ascent 

Ascent 
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Rank 

%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

40 

0.3 

93.8 

3.3E-05 
(1 in 30,000) 

Fuel cell leak and a subsequent failure of the crew to 
respond appropriately causes a catastrophic failure 

Orbit 

Orbit 

41 

0.3 

94.1 

3.2E-05 
(1 in 31,000) 

Water Coolant Loop component failure results in a 
cooling failure on orbit 

Orbit 

Orbit 

42 

0.3 

94.4 

3.1E-05 
(1 in 32,000) 

Orbit inspections (Flight Day 2 and late) result in 
damage to the TPS 

Orbit 

Orbit 

43 

0.3 

94.6 

2.9E-05 
(1 in 34,000) 

ET failure causes a fuel feed anomaly, resulting in 
SSME shutdown due to insufficient net positive 
suction pressure 

Ascent 

Ascent 

44 

0.3 

94.9 

2.9E-05 
(1 in 34,000) 

Landing Deceleration System (LDS) brake failures 

Entry 

Entry 

45 

0.2 

95.1 

2.7E-05 
(1 in 38.000) 

Common cause failure of the Data Processing System 
(DPS) on orbit 

Orbit 

Orbit 

46 

0.2 

95.4 

2.5E-05 
(1 in 40,000) 

Mechanisms failure and subsequent failure of a crew 
rescue attempt 

Ascent, Orbit 

Orbit 

47 

0.2 

95.6 

2.3E-05 
(1 in 44,000) 

Flight Software error result in catastrophic failure 
during orbit 

Orbit 

Orbit 

48 

0.2 

95.7 

2.1E-05 
(1 in 48,000) 

Flight control surface (elevons, rudder, body flap) 
actuators fail/jam during ascent 

Ascent 

Ascent 

49 

0.2 

95.9 

2.1E-05 
(1 in 49,000) 

Loss of Active Thermal Control System (ATCS) 
cooling due to ammonia (NH3) tank rupture on orbit 

Orbit 

Orbit 

50 

0.2 

96.1 

2.0E-05 
(1 in 51,000) 

Pyrotechnic Initiator Controller (PIC) failure during 
SRB ignition 

Ascent 

Ascent 

51 

0.2 

96.3 

1.9E-05 
(1 in 51,000) 

MPS G02 or GH2 disconnect valves fail closed, 
causing SSME shutdown due to insufficient net 
positive suction pressure 

Ascent 

Ascent 
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%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

52 

0.2 

96.4 

1.9E-05 
(1 in 51,000) 

Cabin depressurization due to leaks beyond the make-up capability of 
the Pressure Control System (e.g., penetration leaks) or pressure 
control system fails 

Orbit 

Orbit, Entry 

53 

0.2 

96.6 

1.9E-05 
(1 in 52,000) 

Active Vent Door (AVD) failure on entry 

Entry 

Entry 

54 

0.2 

96.8 

1.8E-05 
(1 in 54,000) 

MPS disconnect valves fail in the closed position during ascent 

Ascent 

Ascent 

55 

0.2 

96.9 

1.7E-05 
(1 in 59,000) 

Flight Control System (FCS) switching valve fails during entry 

Entry 

Entry 

56 

0.2 

97.1 

1.7E-05 
(1 in 59,000) 

Catastrophic fire/explosion due to MPS interface leakages 

Ascent 

Ascent 

57 

0.1 

97.2 

1.6E-05 
(1 in 61,000) 

Common cause failure of two APUs, Hydraulic Systems, or WSBs result 
in a failure to land the Orbiter with a single APU in high cross winds 

Ascent, Entry 

Entry 

58 

0.1 

97.4 

1.4E-05 
(1 in 73,000) 

LDS, APU, hydraulic, or WSB component failure results in a failure to 
properly deploy or a structural failure of the landing gear 

Entry 

Entry 

59 

0.1 

97.5 

1.3E-05 
(1 in 74,000) 

Environmental Control and Life Support System (ECLSS) 02 
oversupply on orbit leads to fire 

Orbit 

Orbit 

60 

0.1 

97.6 

1.3E-05 
(1 in 74,000) 

Common cause failure of the Orbiter APU/Hydraulics/Water Spray 
Boiler (WSB) System components during ascent 

Ascent 

Ascent 

61 

0.1 

97.7 

1.3E-05 
(1 in 76,000) 

FCS gear box loses output or jams 

Entry 

Entry 

62 

0.1 

97.8 

1.3E-05 
(1 in 77,000) 

OMS failure and insufficient RCS propellant (+X jets unavailable) result 
in deorbit failure 

Orbit 

Orbit 



SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 


COMPLETE LIST OF SPRA ITERATION 3.2 

Presenter Roger Boyer 

CONTRIBUTIONS BY SCENARIO (6) 

Date 10 / 26/10 

Page 23 


Rank 

%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

63 

0.1 

97.9 

1.3E-05 
(1 in 80,000) 

Electrical failure during orbit 

Orbit 

Orbit, Entry 

64 

0.1 

98.0 

1.2E-05 
(1 in 81,000) 

APU heater fails on and human error failure results in 
catastrophic failure on orbit 

Orbit 

Orbit 

65 

0.1 

98.2 

1.2E-05 
(1 in 83,000) 

Loss of OMS due to improper targeting of OMS burn (human 
error) 

Orbit 

Orbit 

66 

0.1 

98.2 

1.0E-05 
(1 in 96,000) 

Common cause failure of Guidance Navigation and Control 
(GN&C) (failure of crew rescue for failures occurring on orbit) 

Ascent, Orbit, 
Entry 

Ascent, Orbit, 
Entry 

67 

0.1 

98.3 

9.9E-06 
(1 in 100,000) 

Cabin Fan System failure combined with a human error during 
landing brought about by high heat or humidity 

Orbit 

Entry 

68 

0.1 

98.4 

8.3E-06 
(1 in 120,000) 

Independent failure of two APUs, Hydraulic Systems, or WSBs 
result in a failure to land the Orbiter in high cross winds 

Ascent, Entry 

Entry 

69 

0.1 

98.5 

8.1E-06 
(1 in 120,000) 

MPS liquid H2 feedline flowliner crack leads to fire/explosion 
due to feedline contamination 

Ascent 

Ascent 

70 

0.1 

98.5 

7.3E-06 
(1 in 140,000) 

FCS switching valve fails during ascent 

Ascent 

Ascent 

71 

0.1 

98.6 

6.6E-06 
(1 in 150,000) 

Landing Deceleration System (LDS) tire ruptures 

Entry 

Entry 

72 

0.1 

98.7 

6.6E-06 
(1 in 150,000) 

Flash Evaporator System freeze up and failure to recover leads 
to LOCV during entry 

Orbit, Entry 

Entry 

73 

0.1 

98.7 

6.6E-06 
(1 in 150,000) 

Rudder speed brake jams during entry 

Entry 

Entry 

74 

0.1 

98.8 

6.6E-06 
(1 in 150,000) 

Fire/explosion resulting from the auto-decomposition of 
hydrazine due to a leak in the SRB APU fuel pump 

Ascent 

Ascent 
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%age of 
Total 

Cumulative 
Total % 

Probability 

Description 

Phase Initiated 

Phase Realized 

75 

0.1 

98.8 

6.1E-06 
(1 in 160,000) 

Trapped fuel due to FRCS failure prior to de-orbit 
preparation combined with failure of recovery 
measures results in CG imbalance 

Orbit 

Entry 

76 

0.1 

98.9 

5.9E-06 
(1 in 170,000) 

Common cause failure of all N2 relief valves to close 
on Ascent combined with failure of crew rescue 

Ascent 

Orbit 

77 

0.1 

98.9 

5.7E-06 
(1 in 170,000) 

Fire/explosion caused by MPS contamination 

Ascent 

Ascent 

78 

0.1 

99.0 

5.7E-06 
(1 in 180,000) 

Icicle formed at the water dump breaks off and 
damages the Orbiter 

Orbit 

Entry 

79 

0.1 

99.0 

5.6E-06 
(1 in 180,000) 

Drag chute door opens prematurely leading to 
LOCV 

Ascent, Entry 

Ascent, Entry 
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Communicating & Documenting 
Risk Results and Insights to Decision-maker 

□ Displaying the results in tabular and graphical forms 

□ Ranking of risk scenarios 

□ Ranking of individual events (e.g., hardware failure, 
human errors, etc.) 

□ Insights into how various systems interact 

□ Tabulation of all the assumptions 

□ Identification of key parameters that greatly influence 
the results 

□ Presenting results of sensitivity studies 

□ Proposing candidate mitigation strategies 


